CIAM.wiki

OAuth 2.0

OAuth 2.0 is an authorization framework that lets an application obtain limited access to a user's resources on another service without handling the user's password, by exchanging tokens.

Also: OAuth, OAuth 2.1

OAuth 2.0 is the standard for delegated authorization. It lets a user grant an application access to specific resources held by another service, scoped and revocable, without sharing a password. The application receives an access token and uses it to call the resource on the user's behalf.

The framework defines roles (resource owner, client, authorization server, resource server) and flows for different client types. The authorization code flow with PKCE is the recommended pattern for web and mobile apps. OAuth 2.0 handles authorization, meaning access to resources; it does not by itself prove who the user is.
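As an added illustration that is not part of the CIAM.wiki entry, the PKCE part of the authorization code flow in Python: the client derives a one-time S256 challenge from a secret verifier, and a toy authorization server refuses to redeem the code unless the verifier hashes back to the stored challenge. The endpoint, client id and redirect URI are made-up placeholders.

```python
# Constructed example of PKCE (RFC 7636) inside the authorization code flow:
# the client sends a challenge up front, and the token endpoint only redeems
# the code if the later-presented verifier hashes to that same challenge.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    """32 random bytes -> 43 unreserved chars (spec allows 43..128)."""
    return b64url(secrets.token_bytes(32))

def make_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(endpoint: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, challenge: str) -> str:
    # Front-channel request the browser is sent to (hypothetical endpoint).
    return endpoint + "?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": scope, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256"})

class AuthorizationServer:
    """Toy server keeping only the state a PKCE check needs."""

    def __init__(self) -> None:
        self.pending = {}  # authorization code -> code_challenge

    def issue_code(self, authorize_url: str) -> str:
        q = parse_qs(urlparse(authorize_url).query)
        if q.get("code_challenge_method") != ["S256"]:
            raise ValueError("only S256 PKCE is accepted")
        code = b64url(secrets.token_bytes(16))
        self.pending[code] = q["code_challenge"][0]
        return code

    def redeem(self, code: str, verifier: str):
        """Token endpoint: the code is single-use and must match the verifier."""
        challenge = self.pending.pop(code, None)
        if challenge is None or not secrets.compare_digest(
                make_challenge(verifier), challenge):
            return None  # wrong verifier (intercepted code) or replayed code
        return {"access_token": b64url(secrets.token_bytes(24)),
                "token_type": "Bearer", "expires_in": 3600}
```

Because the challenge is sent on the front channel but the verifier only on the back channel, an attacker who intercepts the redirect carrying the code still cannot redeem it.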

OAuth 2.1 is an in-progress IETF effort that consolidates OAuth 2.0 and its security best practices into a single document, removing flows now considered unsafe. In CIAM, OAuth underpins API access and is the layer OpenID Connect builds authentication on top of.